Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThjOGMtNHZmai1ycnBj
Reflected Cross-Site Scripting in redis-commander
Affected versions of redis-commander contain a cross-site scripting vulnerability in the highlighterId parameter of the clipboard.swf component on hosts serving Redis Commander.
Mitigating factors:
Flash must be installed / enabled for this to work. The below proof of concept was verified to work using Firefox 57.0 on Windows 10 by manually installing the Flash NPAPI Windows plugin.
Proof of concept
http://instance/jstree/_docs/syntax/clipboard.swf?highlighterId=\%22))}%20catch(e)%20{alert(document.domain);}//
Recommendation
No direct patch for this vulnerability is currently available.
At this time, the best mitigation is to use an alternative, functionally equivalent package, or to use extreme caution when using redis-commander, ensuring that redis-commander is the only web page you have open, and avoiding clicking on any links.
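Detection logic for the request pattern this advisory describes, added here as an example and not part of the advisory or the redis-commander project; it assumes Combined Log Format access logs from the host serving Redis Commander and treats any highlighterId value that is not a plain DOM id as suspicious.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Path of the bundled jstree documentation asset named in the advisory.
VULN_PATH = "/jstree/_docs/syntax/clipboard.swf"
# A legitimate highlighterId is a plain DOM element id; anything else is suspicious.
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]*$")

# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2018:10:00:00 +0000] '
    '"GET /jstree/_docs/syntax/clipboard.swf?highlighterId=highlighter_123 HTTP/1.1" 200 2150',
    '10.0.0.7 - - [01/Jan/2018:10:00:01 +0000] '
    '"GET /jstree/_docs/syntax/clipboard.swf?highlighterId='
    '\\%22))}%20catch(e)%20{alert(document.domain);}// HTTP/1.1" 200 2150',
    '10.0.0.9 - - [01/Jan/2018:10:00:02 +0000] "GET /keys HTTP/1.1" 200 512',
]


def inspect_request(log_line: str) -> Optional[dict]:
    """Return a finding for a log line that requests clipboard.swf with a
    highlighterId that is not a plain identifier; otherwise return None."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"', log_line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if parts.path != VULN_PATH:
        return None
    # parse_qs decodes one layer of percent-encoding; unquote a second time
    # so a double-encoded payload cannot slip past the identifier check.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("highlighterId", []):
        decoded = unquote(value)
        if not SAFE_ID.match(decoded):
            return {"path": parts.path, "highlighterId": decoded}
    return None


def scan(lines) -> list:
    """Run inspect_request over every line and collect the findings."""
    return [f for f in (inspect_request(line) for line in lines) if f]
```

Blocking requests to the unused jstree documentation directory at the reverse proxy, or upgrading to 0.5.0, removes the exposure that this check only reports on.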
Permalink: https://github.com/advisories/GHSA-8c8c-4vfj-rrpc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThjOGMtNHZmai1ycnBj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-8c8c-4vfj-rrpc
References:
- https://hackerone.com/reports/296377
- https://www.npmjs.com/advisories/562
- https://github.com/joeferner/redis-commander/commit/1a483ebb3a706cf199dd283cf0aead96606adb14
- https://github.com/joeferner/redis-commander/releases/tag/v0.5.0
- https://github.com/advisories/GHSA-8c8c-4vfj-rrpc
Blast Radius: 0.0
Affected Packages
npm:redis-commander
Dependent packages: 5
Dependent repositories: 57
Downloads: 13,522 last month
Affected Version Ranges: >= 0.0.0, < 0.5.0
Fixed in: 0.5.0
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.1.0, 0.1.1, 0.2.1, 0.3.0, 0.3.2, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5
All unaffected versions: 0.5.0, 0.6.0, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.2, 0.8.0